From: Miguel F. <mfr...@gm...> - 2007-04-02 17:27:00
On 4/2/07, Diego 'Flameeyes' Pettenò <fla...@gm...> wrote:
> Well, https pushing isn't strictly needed because there is SSH pushing.
> The (big) drawback here is that you have to take care of security on
> your own. If a serious vulnerability is found in Mercurial, and you
> don't upgrade, you are putting SF.net up to risk. I'm not even sure if
> this conforms or not with the TOS, but in general is not something I'd
> like to do to someone else.

(trying to understand - remember I'm new to Mercurial) you mean that Mercurial's Python backend, which is executed from the Apache context, could possibly be exploited by someone without an SSH account on SF?

> And counting on Murphy's law, the moment someone takes care of
> administering the Mercurial copy, that person is doomed to disappear
> for a few months, during which a very serious vulnerability to
> Mercurial is going to be found; and he forgot to add group access to
> the files.

It doesn't sound that bad to me... I mean, of course one has to be careful about group permissions, but if he disappears from earth we can always file a support request.

I'm just asking because I've never heard of Alioth before (but it is clear it has existed for quite a while) and I don't know the reliability issues it might have. For example:

http://lists.debian.org/debian-devel-announce/2007/02/msg00015.html
http://lists.alioth.debian.org/pipermail/sane-devel/2006-January/015803.html

It looks like a small server infrastructure... I trust the admins are certainly doing their best to support the Debian community, but sometimes not having the resources to buy more hardware can be a problem...

In short: I'm not, a priori, against Alioth. I just think we should weigh:
- the annoyance of asking every developer to create a new account on a different server, remapping users
- reliability issues
- security issues
- support availability
- better hg support?
- ?

Miguel